Cisco Meraki Documentation

Activation Lock for Apple Devices

Activation Lock is a security feature on Apple devices that prompts for Apple ID credentials after a device is factory reset. This makes it difficult for someone to use or sell an Apple device if it is lost or stolen.

Systems Manager can manage Activation Lock state on Apple devices. This functionality requires supervision to be enabled on the target device.  If an Apple device is supervised, administrators have the following capabilities:

  • Allow/Prevent Activation Lock
  • Force enable MDM Activation Lock (also requires automated device enrollment via Apple's Device Enrollment Program)
  • Clear the Activation Lock state remotely

Allow Apple ID Activation Lock

End users can enable Activation Lock by signing in to Find My iPhone/iPad on the device with their Apple ID credentials. This ability is disabled by default if the device is supervised at the time of enrollment.

To allow end users to enable Activation Lock with Find My:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow Activation Lock"
  4. Scope the configuration profile to the desired tags and save

Warning: For devices enrolled with DEP before August 12, 2019, "Allow Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

Enable MDM Activation Lock

When a supervised Apple device is enrolled using automated device enrollment (ADE), Systems Manager can force enable Activation Lock using the ADE token from Apple Business Manager or Apple School Manager. This method gives administrators the added reassurance that their devices are protected by Activation Lock should they be lost or stolen, and lets them reactivate a device with known credentials if it is wiped while Activation Lock is enabled.

To enable MDM Activation Lock automatically at the time of ADE enrollment:

  1. Go to Manage > Settings 
  2. Create a "Privacy and Lock" configuration profile 
  3. Check the box for "Allow MDM Activation Lock"
  4. Scope the configuration profile to the desired tags and save


MDM Activation Lock can also be enabled on a per-device basis for ADE-enrolled devices. Go to the Systems Manager > Devices list and click on the target device to access its device details. Under the MDM Commands section, the Enable Activation Lock option sends a command to Apple to enable Activation Lock on the device.

Warning: For devices enrolled with ADE before August 12, 2019 (known as DEP at that time), "Allow MDM Activation Lock" may have been enabled by default. If Activation Lock is enabled after wiping a device, try one of the following steps:

  • Enter the Apple ID username and password of the linked Apple Business Manager or Apple School Manager administrator.
  • Use an Activation Lock bypass method.

Checking Activation Lock Status

Systems Manager can show the current Activation Lock state of all devices at once. Go to the Systems Manager > Devices list and add the column (gear icon) for Activation Lock.

Activation Lock status can also be viewed for a specific device on the device details page under the Management section.  The two statuses are:

  • Activation Lock - Activation Lock status if enabled via Find My iPhone/iPad on the device. If status is Enabled, Activation Lock may be linked to the end user's Apple ID.
  • MDM Activation Lock - Activation Lock status if enabled via a Systems Manager command. If status is Enabled, Activation Lock may be linked to the Apple ID of the Apple Business Manager or Apple School Manager administrator account.

Clearing Activation Lock

Systems Manager contains tooling that can be used to remove the Activation Lock status from a device.

Prerequisites 

To clear Activation Lock, the following criteria must be met:

  • The target device must be enrolled in a Systems Manager network
  • The target device is running iOS/iPadOS/tvOS 7.1+ or macOS 10.15+ with a T2 chip (full macOS requirements here)
  • The target device must be supervised, using Apple Configurator or Apple's ADE
  • Activation Lock was enabled via MDM or Find My iPhone/iPad on the target device

Clearing Activation Lock (Single Device)


Once the prerequisites are met, the Activation Lock tools will appear under the MDM commands section of the device details page.

Note: The device must be supervised and enrolled in Systems Manager prior to Find My iPad/iPhone being enabled.

The Clear Activation Lock command automatically releases the device from an Activation Locked state using the last known bypass code(s). It may be necessary to tap Back on the device before being able to proceed with activation if the device is already factory reset.


The Show bypass code command reveals the unique Activation Lock bypass code received by Cisco Meraki from Apple. If the device has already been factory reset and reactivated, at the Activate iPhone/iPad screen, administrators can manually enter the bypass code in the password field and leave the Apple ID field blank.

Some versions of macOS, iPadOS, and iOS may reject the code with dashes included. If the code is rejected, try it without the dashes or use the Clear Activation Lock command instead.

Clearing Activation Lock (In Bulk)

If Activation Lock is enabled on multiple devices, and the devices meet all of the prerequisites, Systems Manager can attempt to bypass Activation Lock for all target devices at once. Click the checkbox to select devices in Systems Manager > Devices. Then choose Command > Bypass Activation Lock.

Only devices that meet the prerequisites and currently have Activation Lock enabled will be attempted.

Note: Mass Clear Activation Lock commands are enqueued within Meraki Systems Manager and then sent to Apple. A "Status: Success" on this modal means that the job was successfully enqueued to be bypassed in Meraki Systems Manager. Request processing between Meraki and Apple may take several minutes after this, depending on the number of devices you are attempting to bypass. Check back on the devices list in a few minutes to confirm that Activation Lock status changes from Enabled to Disabled. If you are having a problem with a particular device, try "Bypass Activation Lock - Single Device" to view any errors on the bypass attempt returned from Apple.
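
A pre-flight check for the bulk command, applying the prerequisites listed on this page to a device inventory export and reporting why each device would be skipped. This is an added example, not Meraki code: the CSV layout and column names are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not a Meraki format.
SAMPLE_CSV = """name,os,os_version,supervised,enrolled,t2_chip,activation_lock,mdm_activation_lock
ipad-lobby,iPadOS,17.4,yes,yes,,Enabled,Disabled
iphone-byod,iOS,16.6,no,yes,,Enabled,Disabled
mbp-finance,macOS,10.14.6,yes,yes,yes,Disabled,Enabled
imac-2015,macOS,12.7,yes,yes,no,Disabled,Enabled
atv-room3,tvOS,17.2,yes,yes,,Disabled,Disabled
mbp-design,macOS,13.6.1,yes,yes,yes,Disabled,Enabled
"""

# Minimum OS versions as summarized in the prerequisites list on this page.
MIN_VERSION = {"iOS": (7, 1), "iPadOS": (7, 1), "tvOS": (7, 1), "macOS": (10, 15)}

def parse_version(text):
    """Turn '10.15.7' into (10, 15, 7); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))

def skip_reasons(row):
    """Return the prerequisites this device fails (empty list = eligible)."""
    reasons = []
    if row["enrolled"] != "yes":
        reasons.append("not enrolled in a Systems Manager network")
    if row["supervised"] != "yes":
        reasons.append("not supervised")
    minimum = MIN_VERSION.get(row["os"])
    try:
        if minimum is None or parse_version(row["os_version"]) < minimum:
            reasons.append("OS below minimum or unsupported")
    except ValueError:
        reasons.append("unparseable OS version")
    if row["os"] == "macOS" and row["t2_chip"] != "yes":
        reasons.append("Mac without T2 chip")
    if "Enabled" not in (row["activation_lock"], row["mdm_activation_lock"]):
        reasons.append("Activation Lock not enabled")
    return reasons

def preflight(csv_text):
    """Map each device name to its list of skip reasons."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: skip_reasons(row) for row in rows}

if __name__ == "__main__":
    for name, reasons in preflight(SAMPLE_CSV).items():
        print(name, "->", "; ".join(reasons) or "eligible")
```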

Troubleshooting Bypass Activation Lock

If Systems Manager is unable to bypass Activation Lock, we suggest reaching out to Apple Enterprise Support, which has dedicated support options for bypassing Activation Lock. The most Meraki can do is try the Bypass Activation Lock command or manually enter the bypass code in place of the Apple ID password. When these do not work, Apple needs to be involved to unlock Activation Lock on Apple's servers. You can also unlock a single device by signing in with the Apple ID.
